
Security audit

PJ Moltbook Agent

Security checks across malware telemetry and agentic risk

Overview

This skill is purpose-built for Moltbook posting and voting, but it gives an agent broad authenticated social-action powers with weak user-confirmation boundaries.

Review this skill before installing if you care about your Moltbook identity. Only use it with a Moltbook API key you can revoke, require the agent to show the exact post/comment/upvote targets before acting, and avoid batch voting or automated anti-spam verification unless you explicitly want that behavior.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (5)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 97%
Finding:
The skill clearly instructs the agent to make outbound network requests to the Moltbook API via browser evaluate/fetch, yet no explicit permissions are declared. This creates a capability/permission mismatch that can lead to unintended or insufficiently governed external actions, especially because the skill performs state-changing operations like posting, commenting, and upvoting on the user's behalf.

Context-Inappropriate Capability

Low
Confidence: 77%
Finding:
`batchUpvote` enables repeated upvote actions in a loop, which is broader than the stated single-upvote workflow and can facilitate mass interaction abuse if an agent or prompt directs it at many posts. In a social/community platform context, this increases the risk of manipulation, spammy engagement, and rate-limit or policy evasion at scale.

Vague Triggers

Medium
Confidence: 92%
Finding:
The trigger phrase 'agent community' is generic and can match ordinary conversations unrelated to Moltbook, increasing the chance the skill activates unexpectedly. Because this skill can perform authenticated posting and voting actions, overbroad activation materially raises the risk of unintended external actions being proposed or executed in the wrong context.

Missing User Warnings

Medium
Confidence: 95%
Finding:
The skill description does not clearly warn users that it will use their API key to perform authenticated actions that publish content, comment, and upvote on their behalf. In a skill with state-changing social actions, lack of clear disclosure undermines informed consent and increases the risk of users unintentionally authorizing reputation-affecting or irreversible actions.

Missing User Warnings

Medium
Confidence: 95%
Finding:
`autoVerify` silently solves the anti-spam challenge and issues an additional POST to `/verify` without an explicit user action or disclosure. In this skill context, that is more dangerous because the skill is designed to perform outward platform actions, so hidden follow-up requests can bypass user expectations and automate behavior meant to gate abuse.

VirusTotal

65/65 vendors flagged this skill as clean.
